Secure Socket Layer/Transport Layer Security Research Articles

Ensuring the security of web applications operating on the basis of the SSL/TLS protocol

SSL/TLS (Secure Socket Layer/Transport Layer Security)-enabled web applications are designed to provide authentication based on a public key certificate, as well as generating a secure session key and traffic privacy based on a symmetric key. Today, a large number of e-commerce applications such as stock trading, banking, shopping and gaming rely on the robustness of the SSL/TLS protocol. Recently, a potential threat known as a Man-in-the-Middle or main-in-the-middle (MITM) attack has been used by attackers to attack SSL/TLS-enabled web applications, especially when users want to connect to an SSL/TLS-enabled web server. SSL/TLS. The current article discusses the Man-in-the-Middle attack threat for SSL/TLS-enabled web applications. The existing solution space for countering a MITM attack on SSL/TLS-enabled applications is also considered, and an effective solution is proposed that can resist a MITM attack on SSL/TLS-enabled applications. The proposed solution uses a soft token approach for user authentication in addition to SSL/TLS security features. The proposed solution is claimed to be safe, effective and user-friendly compared to similar approaches.

Low-Cost Conversion of Single-Zone HVAC Systems to Multi-Zone Control Systems Using Low-Power Wireless Sensor Networks.

This paper presents a novel approach to convert a conventional house air conditioning installation into a more efficient system that individually controls the temperature of each zone of the house through Wi-Fi technology. Each zone regulates the air flow depending on the detected temperature, providing energy savings and increasing the machine performance. Therefore, the first step was to examine the communication bus of the air conditioner and obtain the different signal codes. Thus, an alternative Controller module has been designed and developed to control and manage the requests on the communication bus (Bus–Wi-Fi gateway). A specific circuit has been designed to adapt the signal of the serial port of the Controller with the communication bus. For the acquisition of the temperature and humidity data in each zone, a Node module has been developed, which communicates with the Controller through the Wi-Fi interface using the Message Queuing Telemetry Transport (MQTT) protocol with Secure Sockets Layer / Transport Layer Security (SSL/TLS) certificates. It has been equipped with an LCD touch screen as a human-machine interface. The Controller and the Node modules have been developed with the ultra-low power consumption CC3200 microController of Texas Instruments and the code has been implemented under the TI-RTOS real-time operating system. An additional module based on the Raspberry Pi computer has been designed to create the Wi-Fi network and implement the required network functionalities. The developed system not only ensures that the temperature in each zone is the desired one, but also controls the fan velocity of the indoor unit and the opening area of the vent registers, which considerably improves the efficiency of the system. Compared with the single-zone system, the experiments carried out show energy savings between 75% and 94% when only one of the zones is selected, and 44% when the whole house is air-conditioned, in addition to considerably improving user comfort.

Iotverif: Automatic Verification of SSL/TLS Certificate for IoT Applications

Although extensive research has been conducted on securing the Internet of Things (IoT) communication protocols, various vulnerabilities and exploits are continuously discovered and reported. Since vulnerabilities are introduced from either insecure communication protocols or defectiveness of applications, it is difficult to identify them during the software development or testing phase. In this paper, we present IoTVerif, a system that automatically verifies the Secure Socket Layer/Transport Layer Security (SSL/TLS) certificate for IoT applications that utilize broker-based messaging protocols. IoTVerif constructs the specification of an IoT protocol and verifies its security properties, without relying on prior knowledge about communication protocols. Once the specification is constructed, a general-purpose model checker automatically verifies those properties, as well as generates counter-examples if any property does not hold. We analyze the effectiveness of IoTVerif with real-world IoT-related applications. Our evaluation results show that IoTVerif can successfully identify vulnerabilities from IoT applications, which are exploitable by the man-in-the-middle (MITM) and TLS renegotiation attacks. IoTVerif holds a great promise for reverse-engineering emerging IoT messaging protocols and identifies the vulnerabilities from IoT-related applications.

An Adaptive Encryption-as-a-Service Architecture Based on Fog Computing for Real-Time Substation Communications

The recent outbreak of industrial cyberattacks indicates that the current industrial network security architecture is under serious challenges. As one of the critical industrial networks, the heterogeneous and real-time substation network lacks compatibility with the conventional cryptography architecture represented by secure sockets layer/transport layer security (SSL/TLS) and public key infrastructure (PKI). To enhance the security of smart substations under the premise of low latency, in this article, we present a novel encryption-as-a-service architecture based on fog computing in this article. The architecture offloads encryption to dedicated devices and makes certificate and key management available through unified web services on the fog and cloud layers. Based on this architecture, we propose MX-SORTS, maximizing security on real-time communication of different services, an algorithm for adaptive configuration of encrypting and signing substation network traffic. By the contrast experiments with the conventional cryptography architecture, we prove that the encryption-as-a-service architecture can significantly improve the real-time and security performance of substation networks.

A Multilayer Secured Messaging Protocol for REST-based Services

The lack of descriptive language and security guidelines poses a big challenge to implementing security in Representational State Transfer (REST) architecture. There is over reliance on Secure Socket Layer/Transport Layer Security (SSL/TLS), which in recent times has proven to be fallible. Some recent attacks against SSL/TLS include: POODLE, BREACH, CRIME, BEAST, FREAK etc. A secure messaging protocol is implemented in this work. The protocol is further compiled into a reusable library which can be called by other REST services. Using Feature Driven Development (FDD) software methodology, a two layer security protocol was developed. The first layer is a well hardened SSL/TLS configuration. The second layer is a well-designed end-to-end protocol that handles authentication, authorization, encryption and message integrity as well as timing and replay attack prevention. The end-to-end protocol uses HMAC-512 and a hybrid encryption system using the AES and RSA algorithms. The protocol was then compiled to a reusable library using C# language. Two different tests were carried out on this protocol: Penetration test and SSL/TLS configuration test. The Penetration Test was carried out using the Open Web Application Security Project Zed Attack Proxy (OWASP ZAP) application and Fiddler Web Debugger. The SSL/TLS test sought to test the SSL/TLS layer of the protocol for known vulnerabilities using a popular SSL/TLS test tool known as SSL Lab. The raw and scaled scores obtained from SSL Lab were 95% and 93% respectively. The results of Implementation test show that the protocol is implementable. The protocol is also resistant to such attacks as: Unauthorized, Timing and Replay attacks as shown by the result of the penetration test. The grade obtained from the SSL/TLS test is “A+”. The result also shows that the implementation is not vulnerable to currently known SSL attacks. The library can be reused by .NET applications and the implementation steps can also be followed by other REST services developers using other platforms.

Towards a Secure Development Environment for Collaborative Applications

Collaborative applications use the security services offered by secure socket layer / transport layer security (SSL/TLS) to implement authentication and confidentiality. Since SSL/TLS establishes a secure communication between two participants, for a secure network of n (> 2) participants, at least n(n-1)/2 secure communication channels have to be established. Whereas, a group key agreement (GKA) protocol allows the participants to compute a common secret group key as a function of the secrets of participants, and thereby remove the n(n-1)/2 lower bound on the channel requirement. Partial forward secrecy is a property of the GKA protocol which assesses the secrecy of the group key, when the secrets are compromised. Collaborative applications have different security requirements. Hence, the Spread Toolkit offers a set of GKA protocols, so that the designers can choose the most appropriate one. In this article, given a set of GKA protocols, a method is proposed to select the best among them, with respect to partial forward secrecy.

Methods for increasing security of web servers

<p>This article is addressed in most part to people dealing with security of web servers. This paper begins with presenting the statistical dimension of the issue of data security in the modern Internet. This paper begins with presenting statistics dealing with issues of data security on the modern World Wide Web. The authors main focus in this work is presenting the challenges of dealing with security and protection of web communication. The work analyses the security of implementing SSL/TLS (Secure Socket Layer/Transport Layer Security) protocol and proposes a new method of increasing security of web servers. This article is addressed to people dealing with analysis and security of web servers.</p>

Classification of Encrypted Traffic With Second-Order Markov Chains and Application Attribute Bigrams

With a profusion of network applications, traffic classification plays a crucial role in network management and policy-based security control. The widely used encryption transmission protocols, such as the secure socket layer/transport layer security (SSL/TLS) protocols, lead to the failure of traditional payload-based classification methods. Existing methods for encrypted traffic classification cannot achieve high discrimination accuracy for applications with similar fingerprints. In this paper, we propose an attribute-aware encrypted traffic classification method based on the second-order Markov Chains. We start by exploring approaches that can further improve the performance of existing methods in terms of discrimination accuracy, and make promising observations that the application attribute bigram, which consists of the certificate packet length and the first application data size in SSL/TLS sessions, contributes to application discrimination. To increase the diversity of application fingerprints, we develop a new method by incorporating the attribute bigrams into the second-order homogeneous Markov chains. Extensive evaluation results show that the proposed method can improve the classification accuracy by 29% on the average compared with the state-of-the-art Markov-based method.

ENERGY AWARE SECURITY ALGORITHM DECISION METHOD FOR INTERNET OF THINGS USING SSL/TLS FOR WIRELESS NETWORK

The Internet of Things (IoT) is an ever evolving infrastructure of physical objects and Internet-enabled devices and systems featuring IP addresses for connectivity. Physical objects consist of home appliances, electronic gadgets, machinery, healthcare items, wearable devices and anything that could be connected to the Internet. Each type of connection requires particular types of security service. Security algorithms in user devices are fixed by default and selected based on preferences. This limitation causes energy waste since a user might be using all services in an algorithm, even those the user does not need. In order to counter this problem, we propose an energy aware security service selection method that saves energy by selecting only particular types of security service required by a given connection. In this paper, we compared the energy consumption of each communication to provide integrity, authentication, and confidentiality in Secure Sockets Layer/Transport Layer Security (SSL/TLS) with our proposed method. The experimental results demonstrate the validity of our proposed method. Our proposed method saved 54.94% energy for integrity and 74.52% for authentication.

Laribus: privacy-preserving detection of fake SSL certificates with a social P2P notary network

In this paper we present Laribus, a peer-to-peer network designed to detect local man-in-the-middle attacks against secure socket layer/transport layer security (SSL/TLS). With Laribus, clients can validate the authenticity of a certificate presented to them by retrieving it from different vantage points on the network. Unlike previous solutions, clients do not have to trust a central notary service nor do they have to rely on the cooperation of website owners. The Laribus network is based on a social network graph, which allows users to form notary groups that improve both privacy and availability. It integrates several well-known techniques, such as secret sharing, ring signatures, layered encryption, range queries, and a distributed hash table (DHT), to achieve privacy-aware queries, scalability, and decentralization. We present the design and core components of Laribus, discuss its security properties, and also provide results from a simulation-based feasibility study.

Key Encryption Method for SCADA Security Enhancement

With the growing demands of Industrial Control Systems (ICS) in all over the world, the industries such as water, electric and gas are using real time infrastructures for communication between filed devices connected within networks such as using Local Area Network (LAN). Wide Area Networks (WAN) or/and over internet to fulfill the requiremenets of industrial processing and automation. Supervisory Control and Data Acquisition (SCADA) system is part of ICS. This system is based on real-time processing infrastructure, systems control and design. In existing survey, several mechanisim/solutionms were developed for reliable delivery of data without any attack. Severla techniques were also implemented such as using secure socket layer/transport layer security (SSL/TLS), secure shell (SSH) and Internet Protocol Security (IPSec) for securing data across internet and overcoming the attacks and security because these are based on TCP/IP protocol for communication and on cryptography algorithms for the purpose of security. Based on detail SCADA security analysis, the cryptography techniques have been adopted to enhance the security of these critical systems. The proposed security solutions takes novel approach to implement the best security performance cryptography algorithms included AES, RSA and SHA-2, as a security layer within distributed network protocol (DNP3) stack. This novel approach successfully enhanced the security of DNP3 protocol as a part of SCADA system while comparing with end-to-end security implementations.

On the security of SSL/TLS-enabled applications

SSL/TLS (Secure Socket Layer/Transport Layer Security)-enabled web applications aim to provide public key certificate based authentication, secure session key establishment, and symmetric key based traffic confidentiality. A large number of electronic commerce applications, such as stock trading, banking, shopping, and gaming rely on the security strength of the SSL/TLS protocol. In recent times, a potential threat, known as main-in-the-middle (MITM) attack, has been exploited by attackers of SSL/TLS-enabled web applications, particularly when naive users want to connect to an SSL/TLS-enabled web server. In this paper, we discuss about the MITM threat to SSL/TLS-enabled web applications. We review the existing space of solutions to counter the MITM attack on SSL/TLS-enabled applications, and then, we provide an effective solution which can resist the MITM attack on SSL/TLS-enabled applications. The proposed solution uses a soft-token based approach for user authentication on top of the SSL/TLS’s security features. We show that the proposed solution is secure, efficient and user friendly in comparison to other similar approaches.

Survey on the Web Services Security Specifications

Web Services security specifications include SSL/TLS (Secure Socket Layer/Transport Layer Security), XML Encryption, XML Signature, WS-Security specification family, PKI-related specifications etc. SSL/TLS are implemented in non-XML frameworks at the transport level, and others are implemented in XML frameworks at the application level. These specifications can satisfy the different requirements of Web Services security (confidentiality, integrity, authenticity, authorization, authentication and nonrepudiation). XML-based specifications are propitious to the integration and interoperability of Web Services security. SSL/TLS is sufficient for the basic generic security of internal Web Services projects. WS-Security is probably overkill, especially with the heavy XML processing that is involved in WS-Security.

Assessing Anti-Phishing Awareness among Undergraduate Students in India

Fraudulent activities on the Internet, especially phishing, have grown to an unprecedented level. Phishing can result in identity theft, financial losses and can also clog an email server. Although a number of technologies related to counter-measures ranging from SSL/TLS (Secure Sockets Layer/Transport Layer Security) to web browser-based warnings have been explored, user awareness remains fundamental against any anti-phishing activity. With the growing unemployment in India, a very large amount of undergraduate students are at a risk of becoming an innocent prey of phishers offering lucrative jobs. This study was conducted to empirically investigate the incidence of undergraduate students becoming victims of phishing attacks in India. We simulated a scenario where students were required to visit a fake website and give details of personal login information. Students irrespective of their computer knowledge visited the phishing website ignoring the information given on the security bar in the web browser.

Securing SCADA systems

PurposeSupervisory control and data acquisition (SCADA) systems are widely used by utility companies during the production and distribution of oil, gas, chemicals, electric power, and water to control and monitor these operations. A cyber attack on a SCADA system cannot only result in a major financial disaster but also in devastating damage to public safety and health. The purpose of this paper is to survey the literature on the cyber security of SCADA systems and then suggest two categories of security solutions.Design/methodology/approachThe paper proposes the use of secure socket layer/transport layer security (SSL/TLS) and IP security (IPsec) solutions, implemented on the test‐bed at the University of Louisville, as the optimal choices when considering the level of security a solution can provide and the difficulty of implementing such a security measure. The paper analyzes these two solution choices, discuss their advantages and disadvantages, and present details on efficient ways of implementing these solutions.FindingsThe SSL/TLS solution to the protocol security using public domain toolkits such as OpenSSL may provide a fast, effective, and economical solution. However, the SSL/TLS protocol and its implementation toolkits have their limitations so this approach may need another enhancement.Practical implicationsIPsec can be used to provide IP‐level security in addition to SSL/TLS.Originality/valueThe use of these enhanced security approaches in SCADA systems should effectively reduce the vulnerability of these critical systems to malicious cyber attacks, and thereby potentially avoiding the serious consequences of such attacks.

A practical SSL server performance improvement algorithm based on batch RSA decryption

The secure socket layer/ transport layer security(SSL/TLS) handshake protocol uses public key cryptographic algorithms such as RSA for key establishment. Typically, public key cryptographic algorithm is computational intensive due to the modular multiplications. Therefore, SSL/TLS servers often become swamped while performing public key decryptions when the simultaneous requests increase quickly. A batch RSA decryption algorithm was proposed. The novel algorithm provides the reasonable response time and optimizes server performance significantly. The decryption speedup is proportional to the batch size b, for instance, the speedup factor is 4, while in Shacham’s scheme the acceleration rate is only 2.5 when b = 4.